{"id":34042404,"url":"https://github.com/pseudo-security/slacksecrets","last_synced_at":"2026-04-08T12:02:36.353Z","repository":{"id":54294552,"uuid":"239671176","full_name":"pseudo-security/slacksecrets","owner":"pseudo-security","description":"Scans Slack for API tokens, credentials, passwords, and more using YARA rules","archived":false,"fork":false,"pushed_at":"2021-02-26T02:45:34.000Z","size":45,"stargazers_count":40,"open_issues_count":3,"forks_count":5,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-12-15T15:19:10.063Z","etag":null,"topics":["infosec","python","security","slack","yara","yara-rules"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pseudo-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-02-11T03:55:06.000Z","updated_at":"2025-06-17T13:57:28.000Z","dependencies_parsed_at":"2022-08-13T11:10:45.820Z","dependency_job_id":null,"html_url":"https://github.com/pseudo-security/slacksecrets","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/pseudo-security/slacksecrets","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pseudo-security%2Fslacksecrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pseudo-security%2Fslacksecrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pseudo-security%2Fslacksecrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pseudo-security%2Fslacksecrets/manifests","owner_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/owners/pseudo-security","download_url":"https://codeload.github.com/pseudo-security/slacksecrets/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pseudo-security%2Fslacksecrets/sbom","scorecard":{"id":747964,"data":{"date":"2025-08-11","repo":{"name":"github.com/pseudo-security/slacksecrets","commit":"63b9c84938ea526a8761964a22d91e31b31c2ab2"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.7,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/8 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue 
activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"15 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2023-120 / GHSA-45c4-8wx5-qw6w","Warn: Project is vulnerable to: PYSEC-2024-24 / GHSA-5h86-8mv2-jq9f","Warn: Project is vulnerable to: GHSA-5m98-qgg9-wh84","Warn: Project is vulnerable to: GHSA-7gpw-8wmc-pm8g","Warn: Project is vulnerable to: GHSA-8495-4g3g-x7pr","Warn: Project is vulnerable to: PYSEC-2024-26 / 
GHSA-8qpw-xqxj-h4r2","Warn: Project is vulnerable to: GHSA-9548-qrrj-x5pj","Warn: Project is vulnerable to: PYSEC-2023-246 / GHSA-gfw2-4jvh-wgfg","Warn: Project is vulnerable to: GHSA-pjjw-qhg8-p2p9","Warn: Project is vulnerable to: PYSEC-2023-250 / GHSA-q3qx-c6g2-7pw2","Warn: Project is vulnerable to: PYSEC-2023-251 / GHSA-qvrw-v9rv-5rjx","Warn: Project is vulnerable to: PYSEC-2021-76 / GHSA-v6wp-4m6f-gcjg","Warn: Project is vulnerable to: PYSEC-2023-247 / GHSA-xx9p-xxvh-7g8j","Warn: Project is vulnerable to: PYSEC-2024-60 / GHSA-jjg7-2v4v-x38h","Warn: Project is vulnerable to: GHSA-g7vv-2v7x-gj9p"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T19:26:15.850Z","repository_id":54294552,"created_at":"2025-08-22T19:26:15.850Z","updated_at":"2025-08-22T19:26:15.850Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31554110,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-08T10:21:54.569Z","status":"ssl_error","status_checked_at":"2026-04-08T10:21:38.171Z","response_time":54,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["infosec","python","security","slack","yara","yara-rules"],"created_at":"2025-12-13T22:27:30.443Z","updated_at":"2026-04-08T12:02:35.985Z","avatar_url":"https://github.com/pseudo-security.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"```\n .d8888b.  888                   888       .d8888b.                                    888             \nd88P  Y88b 888                   888      d88P  Y88b                                   888             \nY88b.      888                   888      Y88b.                                        888             \n \"Y888b.   888  8888b.   .d8888b 888  888  \"Y888b.    .d88b.   .d8888b 888d888 .d88b.  888888 .d8888b  \n    \"Y88b. 888     \"88b d88P\"    888 .88P     \"Y88b. d8P  Y8b d88P\"    888P\"  d8P  Y8b 888    88K      \n      \"888 888 .d888888 888      888888K        \"888 88888888 888      888    88888888 888    \"Y8888b. \nY88b  d88P 888 888  888 Y88b.    888 \"88b Y88b  d88P Y8b.     Y88b.    888    Y8b.     Y88b.       X88 \n \"Y8888P\"  888 \"Y888888  \"Y8888P 888  888  \"Y8888P\"   \"Y8888   \"Y8888P 888     \"Y8888   \"Y888  88888P' \n\n           Created by Pseudo Security [ @pseudo_security ]               \n           https://github.com/pseudo-security/slacksecrets\n```\n\n`SlackSecrets` is a tool to discover sensitive information in Slack instances (access tokens, API keys, password hashes, etc.). It offers several modes,\n\n1. 
**Live monitoring** - Leverages the Real-Time Messaging API to scan messages as they're sent.\n1. **Historical** - Scans every message since the creation of the Slack workspace. This can be done with the web API _or_ with Slack's \"Export Data\" feature.\n\nSecrets are matched according to [YARA](https://github.com/virustotal/yara) rules located in the `slacksecrets/rules` directory. YARA is \"a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.\" It offers increased flexibility over regular expressions, [as well as several other benefits](#why-yara-over-regular-expressions). All YARA rules in the directory will be auto-detected, so additional rules can be easily added. The YARA rules also contain test cases in the `meta` tags to help ensure the rules are correctly matching text.\n\n## Getting Started\n\n`pip install slacksecrets`\n\n```\nusage: slacksecrets [-h] [--token TOKEN] [--no-banner] [--skip-db-update]\n                    [--exported-dir EXPORTED_DIR]\n                    {live,history,exported,reset}\n\npositional arguments:\n  {live,history,exported,reset}\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --token TOKEN\n  --no-banner\n  --skip-db-update\n  --exported-dir EXPORTED_DIR\n```\n\n`SlackSecrets` will need a valid Slack API token. `SlackSecrets` will take a token from the command line with the `--token \u003cslack-token\u003e` option, or if a `SLACK_TOKEN` environment variable is set. 
The `--token` parameter will override the `SLACK_TOKEN` environment variable.\n\n### Live Slack monitoring\n\n`slacksecrets live` (if `SLACK_TOKEN` environment variable is set) or `slacksecrets live --token \u003cslack-token\u003e`.\n\nThis will listen to all messages posted to your Slack instance and scan them for any secrets that match according to the rules in the `rules` directory.\n\n### Historical Slack scanning (using web API)\n\n`slacksecrets history` (if `SLACK_TOKEN` environment variable is set) or `slacksecrets history --token \u003cslack-token\u003e`.\n\nThis scans every message posted since the creation of the Slack workspace for secrets that match the rules in the `rules` directory. Progress will be kept in a sqlite database file named `\u003cworkspace-name\u003e.db` so that if the scan is interrupted, messages will not be scanned multiple times. This will also reduce the likelihood of hitting the Slack API's rate limits.\n\n### Historical Slack scanning (using Slack \"Export Data\")\n\n1. Ensure you're logged into Slack's web management interface and browse to \"Import/Export Data\" (https://\u003cworkspace-name\u003e.slack.com/services/export)\n1. Choose a date range (or entire history) and click \"Start Export\"\n1. When the export is ready, download the .zip file from the \"Past Exports\" section on the page. The filename is usually `\u003cworkspace-name\u003e Slack export \u003cstart-date\u003e - \u003cend-date\u003e.zip`.\n1. Extract the file to a directory on your local machine.\n1. 
Run `SlackSecrets` with the `exported` command, and specify the extracted directory, like so: `slacksecrets exported --exported-dir \u003cpath-to-extracted-directory\u003e`.\n\n### Resetting Historical Scanning Progress\n\n`slacksecrets reset` (if `SLACK_TOKEN` environment variable is set) or `slacksecrets reset --token \u003cslack-token\u003e`.\n\nThis is most useful if additional rules have been added or need to be tested for Historical Slack scanning (using the web API).\n\n## Testing\n\nTesting uses `pytest`, so running the tests is as simple as running `pytest` from the command line.\n\n## Contributing\n\nThe easiest way to start contributing is to add a YARA rule.\n\n### YARA Rule Template\n\nTo ensure consistency and testability, the following template for YARA rules should be used. The meta `author`, `date`, and `description` fields should be added for each rule. If there is a link to a blog post or another resource that provides context to the rule definition, that should be included in the `reference` tag.\n\nTest cases should be in the `test_match_` and `test_no_match_` meta fields. 
These fields will be automatically tested as part of the build process.\n\n```yaml\nrule NameOfRule : TagsGoHere\n{\n    meta:\n        name = \"\"\n        author = \"\"\n        date = \"YYYY-MM-DD\"\n        reference = \"https://...\" /* if needed */\n\n        /* Test Cases */\n        test_match_1 = \"\"\n        test_match_2 = \"\"\n        test_no_match_1 = \"\"\n        test_no_match_2 = \"\"\n\n    strings:\n\n    condition:\n}\n```\n\n## Frequently Asked Questions\n\n### Why YARA over regular expressions?\n\nYARA natively [supports regular expressions](https://yara.readthedocs.io/en/latest/writingrules.html#regular-expressions), as well as many other useful features, such as [external variables](https://yara.readthedocs.io/en/latest/writingrules.html#external-variables), [file size](https://yara.readthedocs.io/en/latest/writingrules.html#file-size), and importantly, [metadata tags](https://yara.readthedocs.io/en/latest/writingrules.html#metadata) which are used to define test-cases within the rule file. This aims to solve an issue with existing tools that rely on regular expressions - that is, either no test cases are defined (requiring users to trust the regex is correct), or that test cases are split from the regex definition. Using the metadata tags allows the YARA rules to be included in other tools without the test-cases interfering.\n\n### Why does `SlackSecrets` use a sqlite database?\n\nThe Slack API is rate-limited and for large Slack instances, the number of messages posted may be in the tens of millions. The [`conversations.history` API call](https://api.slack.com/methods/conversations.history) is [\"Tier 3\"](https://api.slack.com/docs/rate-limits#tier_t3) which allows 50 requests per minute. The maximum number of messages returned in a given `conversations.history` request is 1000 (or 50,000 a minute or 3,000,000 an hour). 
`SlackSecrets` uses the local sqlite database to track scanning progress in channels (so as not to repeat scanning the same messages if the scan is interrupted), uploaded files, and of course, discovered secrets.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpseudo-security%2Fslacksecrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpseudo-security%2Fslacksecrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpseudo-security%2Fslacksecrets/lists"}